Fedora Linux 8811 Published by

A createrepo_c security update has been released for Fedora 32.



SECURITY: Fedora 32 Update: createrepo_c-0.16.1-2.fc32


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-5d9f0ce2b3
2020-10-18 15:48:50.062311
--------------------------------------------------------------------------------

Name : createrepo_c
Product : Fedora 32
Version : 0.16.1
Release : 2.fc32
URL :   https://github.com/rpm-software-management/createrepo_c
Summary : Creates a common metadata repository
Description :
C implementation of Createrepo.
A set of utilities (createrepo_c, mergerepo_c, modifyrepo_c)
for generating a common metadata repository from a directory of
rpm packages and maintaining it.

--------------------------------------------------------------------------------
Update Information:

createrepo_c 0.16.1 - Update to 0.16.1 - Add the section number to the manual
pages - Parse xml snippet in smaller parts (RhBug:1859689) - Add module metadata
support to createrepo_c (RhBug:1795936) librepo 1.12.1 - Update to 1.12.1 -
Validate path read from repomd.xml (RhBug:1868639) libdnf 0.54.2 - Update to
0.54.2 - history: Fix dnf history rollback when a package was removed
(RhBug:1683134) - Add support for HY_GT, HY_LT in query nevra_strict - Fix
parsing empty lines in config files - Accept '==' as an operator in reldeps
(RhBug:1847946) - Add log file level main config option (RhBug:1802074) - Add
protect_running_kernel configuration option (RhBug:1698145) - Context part of
libdnf cannot assume zchunk is on (RhBug:1851841,1779104) - Fix memory leak of
resultingModuleIndex and handle g_object refs - Redirect librepo logs to libdnf
logs with different source - Introduce changelog metadata in commit messages -
Add hy_goal_lock - Update Copr targets for packit and use alias - Enum/String
conversions for Transaction Store/Replay - utils: Add a method to decode URLs -
Unify hawkey.log line format with the rest of the logs dnf 4.4.0 - Update to
4.4.0 - Handle empty comps group name (RhBug:1826198) - Remove dead history info
code (RhBug:1845800) - Improve command emmitter in dnf-automatic - Enhance
--querytags and --qf help output - [history] add option --reverse to history
list (RhBug:1846692) - Add logfilelevel configuration (RhBug:1802074) - Don't
turn off stdout/stderr logging longer than necessary (RhBug:1843280) - Mention
the date/time that updates were applied - [dnf-automatic] Wait for internet
connection (RhBug:1816308) - [doc] Enhance repo variables documentation
(RhBug:1848161,1848615) - Add librepo logger for handling messages from librepo
(RhBug:1816573) - [doc] Add package-name-spec to the list of possible specs -
[doc] Do not use - [doc] Add section to explain -n, -na and
-nevra suffixes - Add alias 'ls' for list command - README: Reference Fedora
Weblate instead of Zanata - remove log_lock.pid after reboot(Rhbug:1863006) -
comps: Raise CompsError when removing a non-existent group - Add methods for
working with comps to RPMTransactionItemWrapper - Implement storing and
replaying a transaction - Log failure to access last makecache time as warning -
[doc] Document Substitutions class - Dont document removed attribute ``reports``
for get_best_selector - Change the debug log timestamps from UTC to local time
dnf-plugins-core 4.0.18 - [needs-restarting] Fix plugin fail if needs-
restarting.d does not exist - [needs-restarting] add kernel-rt to reboot list -
Fix debug-restore command - [config-manager] enable/disable comma separated pkgs
(RhBug:1830530) - [debug] Use standard demands.resolving for transaction
handling - [debug] Do not remove install-only packages (RhBug:1844533) - return
error when dnf download failed - README: Reference Fedora Weblate instead of
Zanata - [reposync] Add latest NEVRAs per stream to download (RhBug: 1833074) -
copr: don't try to list runtime dependencies dnf-plugins-extras 4.0.12 -
Update Cmake to pull translations from weblate - Drop Python 2 support - README:
Add Installation, Contribution, etc - Add the DNF_SYSTEM_UPGRADE_NO_REBOOT env
variable to control system-upgrade reboot. - [system-upgrade] Upgrade groups and
environments (RhBug:1845562,1860408) livecd-tools-27.1-8 - Fix compatibility
with dnf 4.4.0 / libdnf 0.54.2
--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct 6 2020 Nicola Sella - 0.16.1-2
- Update wrong source file
* Tue Oct 6 2020 Nicola Sella - 0.16.1
- Update to 0.16.1
- Add the section number to the manual pages
- Parse xml snippet in smaller parts (RhBug:1859689)
- Add module metadata support to createrepo_c (RhBug:1795936)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1683134 - dnf rollback works strange after upgrade/downgrade/remove
  https://bugzilla.redhat.com/show_bug.cgi?id=1683134
[ 2 ] Bug #1698145 - dnf protects certain packages in container, when it should not
  https://bugzilla.redhat.com/show_bug.cgi?id=1698145
[ 3 ] Bug #1779104 - PackageKit: loading of MD_TYPE_PRIMARY has failed.
  https://bugzilla.redhat.com/show_bug.cgi?id=1779104
[ 4 ] Bug #1795936 - [RFE] createrepo_c should be able to handle modules information
  https://bugzilla.redhat.com/show_bug.cgi?id=1795936
[ 5 ] Bug #1802074 - Excessive and non configurable logging in /var/log/dnf.log
  https://bugzilla.redhat.com/show_bug.cgi?id=1802074
[ 6 ] Bug #1816308 - dnf-automatic.timer runs before the computer can connect to the internet
  https://bugzilla.redhat.com/show_bug.cgi?id=1816308
[ 7 ] Bug #1816573 - [RHEL8/RFE] dnf logrotation experience differs from RHEL7 (yum)
  https://bugzilla.redhat.com/show_bug.cgi?id=1816573
[ 8 ] Bug #1830530 - request to re-introduce functionality - dnf [config-manager] --enable/disablerepo a-repo,b-repo,some*
  https://bugzilla.redhat.com/show_bug.cgi?id=1830530
[ 9 ] Bug #1833074 - reposync --newest-only does not download the latest package
  https://bugzilla.redhat.com/show_bug.cgi?id=1833074
[ 10 ] Bug #1843280 - Discrepancies in permission related problems not/reporting
  https://bugzilla.redhat.com/show_bug.cgi?id=1843280
[ 11 ] Bug #1844533 - yum debug-restore removes all but one kernel even though the dump has multiple kernels.
  https://bugzilla.redhat.com/show_bug.cgi?id=1844533
[ 12 ] Bug #1845562 - system-upgrade plugin should do "dnf group upgrade" as part of transaction solution
  https://bugzilla.redhat.com/show_bug.cgi?id=1845562
[ 13 ] Bug #1845800 - History info tracebacks when group is upgraded/downgraded
  https://bugzilla.redhat.com/show_bug.cgi?id=1845800
[ 14 ] Bug #1846692 - dnf should offer a 'history list' in reverse order
  https://bugzilla.redhat.com/show_bug.cgi?id=1846692
[ 15 ] Bug #1847946 - libdnf behavior has changed unexpectedly in 8.3
  https://bugzilla.redhat.com/show_bug.cgi?id=1847946
[ 16 ] Bug #1848161 - Custom DNF variables which worked in CentOS 8.1.1911 are broken in 8.2.2004
  https://bugzilla.redhat.com/show_bug.cgi?id=1848161
[ 17 ] Bug #1848615 - dnf numeric variable substitutions are undocumented
  https://bugzilla.redhat.com/show_bug.cgi?id=1848615
[ 18 ] Bug #1851841 - zchunk issue with packagekit
  https://bugzilla.redhat.com/show_bug.cgi?id=1851841
[ 19 ] Bug #1859689 - cr_xml_parser_generic_from_string fails on large inputs
  https://bugzilla.redhat.com/show_bug.cgi?id=1859689
[ 20 ] Bug #1860408 - Perform "dnf mark install fedora-repos-modular"-like action on upgrades to Fedora 33/34
  https://bugzilla.redhat.com/show_bug.cgi?id=1860408
[ 21 ] Bug #1863006 - log_lock.pid file remain after system reboot
  https://bugzilla.redhat.com/show_bug.cgi?id=1863006
[ 22 ] Bug #1868639 - CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal [fedora-all]
  https://bugzilla.redhat.com/show_bug.cgi?id=1868639
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-5d9f0ce2b3' at the command
line. For more information, refer to the dnf documentation available at
  http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
  https://fedoraproject.org/keys